Harden workflows: scope permissions, fix set-output, replace dev-drprasad, remove repository_dispatch, comment notify and spotbugs

Author: cx-luis-ventuzelos

.github/workflows/ci.yml

@@ -82,8 +82,8 @@ jobs:
       - name: Build with Maven
         run: mvn -B verify -DskipTests -Dgpg.skip --file pom.xml
 
-      - name: Run SpotBugs Analysis
-        if: ${{ github.actor != 'dependabot[bot]' }}
-        uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2
-        with:
-          path: '**/spotbugsXml.xml'
+      # - name: Run SpotBugs Analysis
+      #   if: ${{ github.actor != 'dependabot[bot]' }}
+      #   uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2
+      #   with:
+      #     path: '**/spotbugsXml.xml'

.github/workflows/nightly.yml

@@ -5,20 +5,24 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   delete_tag:
+    permissions:
+      contents: write
     runs-on: cx-public-ubuntu-x64
     steps:
-      - name: Delete release
-        uses: dev-drprasad/delete-tag-and-release@8cd619d00037e4aeb781909c9a6b03940507d0da  # v1.0.1
+      - name: Delete release and tag
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          delete_release: true
-          tag_name: 1.0.0-SNAPSHOT
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release delete "1.0.0-SNAPSHOT" --yes --cleanup-tag --repo ${{ github.repository }} || true
+
   nightly:
     needs: delete_tag
-    uses: CheckmarxDev/ast-cli-java-wrapper/.github/workflows/release.yml@main
+    uses: Checkmarx/ast-cli-java-wrapper/.github/workflows/release.yml@main
     with:
       tag: "1.0.0-SNAPSHOT"
       dev: true

.github/workflows/release.yml

@@ -32,8 +32,14 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: cx-public-ubuntu-x64
     outputs:
       CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
@@ -57,7 +63,7 @@ jobs:
           CLI_VERSION=$(./src/main/resources/cx-linux version | grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+')
           echo "CLI version being packed is $CLI_VERSION"
           echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_ENV
-          echo "::set-output name=CLI_VERSION::$CLI_VERSION"
+          echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_OUTPUT
 
       - name: Check if CLI version is latest
         if: ${{ github.event.inputs.dev == 'false' && !github.event.inputs.cliTag && github.ref == 'refs/heads/main' }}
@@ -85,7 +91,7 @@ jobs:
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
           git tag -a "${tag}" -m "${message}"
           git push origin "${tag}"
-          echo "::set-output name=TAG_NAME::${{ inputs.tag }}"
+          echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT
 
       - name: Cache local Maven repository
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -131,26 +137,26 @@ jobs:
           tag_name: ${{ inputs.tag }}
           prerelease: ${{ inputs.dev }}
 
-  notify:
-    if: inputs.dev == false
-    needs: release
-    uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
-    with:
-      product_name: Java Wrapper
-      release_version: ${{ needs.release.outputs.TAG_NAME }}
-      cli_release_version: ${{ needs.release.outputs.CLI_VERSION }}
-      release_author: "Sypher Team"
-      release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }}
-      jira_product_name: JAVA_WRAPPER
-    secrets: inherit
+  # notify:
+  #   if: inputs.dev == false
+  #   needs: release
+  #   uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
+  #   with:
+  #     product_name: Java Wrapper
+  #     release_version: ${{ needs.release.outputs.TAG_NAME }}
+  #     cli_release_version: ${{ needs.release.outputs.CLI_VERSION }}
+  #     release_author: "Sypher Team"
+  #     release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }}
+  #     jira_product_name: JAVA_WRAPPER
+  #   secrets: inherit
 
-  dispatch_auto_release:
-    name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version
-    if: inputs.dev == false
-    needs: notify
-    uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main
-    with:
-      cli_version: ${{ needs.release.outputs.CLI_VERSION }}
-      is_cli_release: false
-      is_java_release: true
-    secrets: inherit
+  # dispatch_auto_release:
+  #   name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version
+  #   if: inputs.dev == false
+  #   needs: notify
+  #   uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main
+  #   with:
+  #     cli_version: ${{ needs.release.outputs.CLI_VERSION }}
+  #     is_cli_release: false
+  #     is_java_release: true
+  #   secrets: inherit

.github/workflows/update-cli.yml

@@ -2,8 +2,6 @@ name: Update checkmarx ast cli
 
 on:
   workflow_dispatch:
-  repository_dispatch:
-    types: [cli-version-update]
 
 permissions:
   contents: read
@@ -31,8 +29,8 @@ jobs:
       - name: Get Latest Checkmarx API version
         id: checkmarx-ast-cli
         run: |
-          echo ::set-output name=release_tag::$(curl -sL https://api.github.com/repos/checkmarx/ast-cli/releases/latest | jq -r ".tag_name")
-          echo ::set-output name=current_tag::$(<checkmarx-ast-cli.version)
+          echo "release_tag=$(curl -sL https://api.github.com/repos/checkmarx/ast-cli/releases/latest | jq -r '.tag_name')" >> $GITHUB_OUTPUT
+          echo "current_tag=$(<checkmarx-ast-cli.version)" >> $GITHUB_OUTPUT
 
       - name: Update Checkmarx cli version
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag